Full security details for BackHub data, application, infrastructure and corporate levels.
BackHub is hosted on Amazon Web Services (AWS). AWS is a comprehensive cloud computing platform that features enterprise compute power and data storage along with a broad range of IT solutions and utilities.
Data center accreditation and provisions
BackHub data centers are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX).
BackHub’s data centers provide 24/7 manned security, video surveillance, and biometric access control, as well as multi-factor authentication locks. Here are more details about Amazon Web Services (AWS) security and privacy.
Data center locations
All BackHub data centers are located in Germany. To minimize environmental risks, including flooding, extreme weather, and seismic activity, we select our data center locations according to optimal geographic assessments.
BackHub services are provided on fully-provisioned, redundant servers in case of failure. Redundant servers may include replica databases, multiple load balancers, and web servers. BackHub takes servers out of operation as part of our regular maintenance without any impact to availability.
BackHub creates regular encrypted backups of our data storage on Amazon Web Services (AWS). Encryption at rest and in transit is provided for all backups. In each 24 hour period, BackHub captures a full backup of customer data.
Production data loss is not a likely event, but should it ever occur, we restore all data from these backups.
We maintain backups for 30 days. After 30 days, the backups and all their data are destroyed in a secure manner.
To prevent unauthorized access, BackHub maintains comprehensive transactional logs of all monitored system actions. Logs are pushed to a dedicated logging instance to prevent manipulations.
Third party services
For the list of all third party services that support BackHub, see the Data Processing Agreement (DPA) in Appendix 4.
Encryption standards and practices
We adhere to the same type and degree of encryption as that of financial institutions. BackHub applies the industry standards HTTPS, 256-bit SSL, and AES. All databases are encrypted at rest and in transit. For credentials, all secrets are stored in an encrypted and access-restricted database. Third parties can neither view nor access BackHub network communications.
Users must be authenticated in order to gain access to BackHub. BackHub uses different types of authentication, all designed and provided by GitHub, adhering to OAuth standards. Tokens are never stored persistently on our side, but instead are requested from GitHub on demand.
User tokens are encrypted in transit and at rest, and have a very limited lifetime, after which they expire. We do not rely on user passwords, but instead on GitHub Authentication mechanisms. We never ask a customer for their user password or token.
User and application permissions
Access to a customer’s GitHub user is limited to a given scope. BackHub requests the minimal set of required GitHub permissions. Installations of BackHub require read-only permissions, limited to those resources that are stored in the backups. Customers can revoke any of these permissions at any time in GitHub settings.
Subscriptions and payments are handled via the GitHub Marketplace. For enterprise plans and customers who have migrated from BackHub basic, payments are captured and stored securely by Stripe, a payment processing service that has been audited by a PCI-certified author.
The certification level of Stripe is PCI Service Provider Level 1, which is the most stringent standard in the payments industry. In addition, for all services, Stripe forces HTTPS using TLS (SSL), and encrypts card numbers on disk using AES-256. Decryption keys are stored on separate machines. Learn more about Stripe security and privacy.
Data access and privacy
BackHub commissions risk assessments to identify possible vulnerabilities in security or systems. We work to resolve all severe and critical issues with highest priority.
Downtime reporting and notification
Our platform minimizes the need for downtime, including common system upgrades that could necessitate an outage. In the rare event of scheduled downtime, we notify customers by email at least 24 hours in advance.
The current status of our application is constantly monitored and publicly reported on our status page.
We request that you immediately report any and all suspected security or privacy incidents via technical, physical, or logical means to firstname.lastname@example.org for priority ticketing and resolution management.
BackHub also keeps specialists on retainer to assist in the event of any intrusion, data breach, DDoS attack, or other issues requiring additional support.
General Data Protection Regulation (GDPR)
BackHub is compliant with the General Data Protection Regulation (GDPR). GDPR’s mission is to protect the private information of EU citizens and give them more control of their personal data. For businesses, GDPR aims to provide a more level playing field. Contact us for more details on how we comply with GDPR.
BackHub management does thorough reference checks on all applicants prior to employment. When an employee is terminated, management immediately revokes all privileges and updates all relevant credentials.
Continuous Integration / Continuous Deployment (CI/CD)
BackHub uses continuous integration and deployment (CI/CD). This means that all code changes are committed, tested, built and shipped in a predefined and automated way. This decreases the likelihood of security issues while improving the internal response time to bugs and vulnerabilities and their effective eradication.
All BackHub employees receive onboarding and training on our development and production environment, infrastructure, coding guidelines, security policies, and deployment process.